Secure From the Start: Designing and Implementing an Assured National Security Enterprise

LTG Keith B. Alexander
National Security Agency/Central Security Service

The Global Information Grid (GIG) information assurance (IA) architecture is the embodiment of an Enterprise IA model and is being designed to support the entire National Security Enterprise with input from the Department of Defense, Department of Homeland Security, and intelligence community. It is an essential enabler of the GIG Net-Centric Warfare vision. National Security Agency (NSA) architects have identified innovative IA approaches to support dynamic, secure enterprise-wide information sharing. Portfolio management for the effort is being provided by the GIG IA Portfolio Management Office at NSA in partnership with the Office of the Secretary of Defense, and the Military Services, commands and agencies.


The Global Information Grid (GIG) is a Department of Defense (DoD) initiative to develop an assured global information technology (IT) enterprise that will enable its strategic objectives of information superiority and net-centric warfare (NCW). NCW is a set of warfighting concepts and capabilities that provide for worldwide access to information and services — anytime, anyplace — allowing the warfighter to take full advantage of all available information and bring all available assets to bear on the mission in a rapid and flexible manner. To achieve this vision, the DoD is transforming the way it operates, communicates, and uses information to include expanding user access to a much richer set of information and collaboration capabilities. Information assurance (IA) is a critical enabler of the GIG and the DoD strategic objectives.

Roles and Responsibilities

The National Security Agency/Central Security Service (NSA/CSS) is an active participant, partner, and leader in making net-centricity a reality. Due to NSA/CSS's unique position of performing both offensive and defensive missions, the Assistant Secretary of Defense for National Information Infrastructure (ASD/NII) tasked NSA/CSS to provide the IA architectural guidance and IA portfolio management to deliver the DoD's GIG vision. We are partnering with U.S. Strategic Command (STRATCOM), the Joint Staff, the Defense Information Systems Agency (DISA), and the Military Services in defining and implementing a secure, net-centric operating environment. Additionally, we are working with the intelligence community (IC) to drive the increased sharing of critical data securely.

The NSA/CSS's Enterprise IA Architecture and Systems Engineering Office, in partnership with the GIG community, leads the effort to define a GIG IA architecture that includes enterprise-level IA strategies, guidance, standards, policies, systems requirements, and technologies necessary to realize DoD's net-centric GIG vision. While the office's principal focus is on supporting the GIG, its work is broadly applicable to net-centric enterprise efforts across the IC, Department of Homeland Security (DHS), Information Sharing Environment (ISE), and other federal information technology (IT) enterprises. These national security communities require the development of an assured global national security IT enterprise to transform the way they operate, communicate, and use information to accomplish their missions. NSA/CSS's IA support will help ensure that communications, information sharing, and infrastructure availability are not barriers to the nation's security.


IA Vision

The DoD net-centric IA vision is to enable a dynamic, information-sharing environment that delivers secure information at the right time, to the right recipient, and in the right format under every circumstance. This environment must be securely managed and protected enterprise-wide from threats posed by adversaries. Providing enterprise-wide protection of the dynamic information-sharing environment requires a cohesive, integrated approach to IA that enhances policies, procedures, technologies, and training.

Enterprise IA Model

In the past, a system-high security approach was taken to secure the system containing the information. The system-high security model requires the system to operate at the level of the highest information classification, and the protection mechanisms must be approved to protect the highest classification level of information contained within the system. Additionally, every user has to be cleared for that level of access (i.e., if the highest classification of information being processed in a system is SECRET, then all the systems and interconnections involved in sharing this information need to be protected and need to meet the security requirements for protecting SECRET information).

Dynamic interactions in a net-centric collaboration and information-sharing environment require a greater level of interdependency between systems. The traditional system-high security approach cannot be used to support dynamic interactions between systems in this variable environment. The dynamic interactions occur in an environment where trustworthiness varies between the users participating in the collaboration and sharing, the systems supporting the collaboration and sharing, and the sensitivity levels of the information being shared. These collaborative users form groups commonly referred to as communities of interest (COI). A COI is any group of users that needs to exchange information to accomplish a given mission. COIs may be pre-established users with ongoing agreements, or may develop on an ad-hoc basis, and may include both traditional (e.g., coalition forces for military engagements) or non-traditional partners (e.g., federal, state, or local government agencies in support of disaster relief missions). The dynamic interactions require that the protection approach for information sharing shift to a transaction-based Enterprise IA model.

Under this new model, information exchanged as part of a transaction is protected to a level appropriate for the information being exchanged. That is, dynamic mechanisms are used to determine whether or not information should be shared and under what conditions. The approach to realizing the assured GIG vision is shaped by the following set of guiding principles essential for the transformation of IA:

• Separation of Information Protection from Infrastructure Protection (i.e., protecting information wherever it resides). Past IA models focused predominantly on protecting the physical computing and data storage devices and their communications infrastructure (e.g., gates, guards, dogs, and link/network encryptors). Net-centric IA will augment and evolve current communication infrastructure protections to allow for a dynamic, distributed perimeter where end-to-end object-level information protection reduces (and perhaps eventually replaces) the physically separate networks used across the community today. This includes protecting data in storage, packets, messages, and sessions in transit in addition to the networks.

• Policy-Driven Enterprise. The impacts of system outages, degradations, and cyber attacks will significantly expand in the net-centric environment. Interdependence and interconnection of systems will affect our ability to contain these impacts. A digital-policy-driven enterprise that enables dynamic, highly automated and coordinated establishment and enforcement of information access, mission priority, resource allocation, and cyber attack response will counter this increased threat. It will also provide the ability to adjust resources to ensure that the highest priority missions receive the resources needed for their success.

• Support for Varying Levels of Trust. Today we define a single standard for protection of information that resides within a system-high environment. As we move forward into the highly interconnected net-centric environment, the enterprise will need to ensure information is sufficiently protected while supporting collaboration and information sharing across environments where the users and their systems have varying levels of trustworthiness.



• Persistent Monitoring and Misuse Detection. Counterbalancing the increased cyber and insider threats brought about by the broader sharing and greater interconnectivity of systems requires enhanced cyber situational awareness and network defense capabilities. We must develop and apply robust tools, technology, and operational approaches to actively defend our networks. A key part of this strategy is to shift to a distributed enterprise sensor grid, in which IT components throughout the enterprise provide sensor inputs. Persistent monitoring develops cyber situational awareness through analysis of the sensor grid inputs across classification levels, missions, and COIs. This capability is critical to improving the ability to detect misuse and insider threats.

• Greater Use of IA-enabled IT Components. Today's IA capabilities are implemented in a bolt-on approach (e.g., add-on security products) as specialized IA appliances primarily deployed at the enterprise perimeters. The Enterprise IA model requires IA functionality to be distributed across IT components as well as greater reliance on software-based IA functionality combined with greater assurance and trust in the host computing platforms. This new enterprise protection model bakes in IA functionality by requiring it to be designed and built into IT components from their inception, and requires increased trustworthiness in those components to correctly perform their IA functionality. The terms bolt on and baked in are diametrically opposed. Bolted-on security implies that it has been added after the fact. Baked-in security requires that the security features be designed and integrated throughout the system lifecycle, from concept. Baked in is inherently superior because it guarantees that complementary, mutually supportive approaches and technologies are employed.

• Evolution to Dynamic Security Management. Today, the management of security is primarily focused on the generation and distribution of public key certificates and cryptographic keys for cryptographic devices. In an environment where enterprise protection relies on an array of IA-enabled IT products, the concept of security management must expand to support not only a more automated, net-centric key management capability, but it must also evolve to support security services such as identity, privilege, audit, and IA configuration management. With the development of a more comprehensive toolkit of security management capabilities, they can be applied to support the active defense of our networks by dynamically reconfiguring access to network resources as directed by network security policy and informed by persistent monitoring and situational awareness.
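The contrast between the system-high model and the transaction-based Enterprise IA model above, together with the policy-driven and varying-trust principles, can be made concrete in code. The following Python model is an added illustration, not code from the article or from NSA/CSS; the classification levels, users, systems, objects and the suspended-systems policy input are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2

@dataclass(frozen=True)
class User:
    name: str
    clearance: Level
    cois: frozenset  # communities of interest (COIs) the user belongs to

@dataclass(frozen=True)
class System:
    name: str
    accredited: Level  # highest level its protection mechanisms are approved for

@dataclass(frozen=True)
class InfoObject:
    label: str
    classification: Level
    coi: str  # the COI the object is releasable to

def system_high_decision(system, users, objects):
    """System-high: run at the highest level held; every user must be cleared to it."""
    high = max(o.classification for o in objects)
    if system.accredited < high:
        return False, f"{system.name} is not accredited for {high.name}"
    uncleared = sorted(u.name for u in users if u.clearance < high)
    if uncleared:
        return False, f"system-high {high.name} excludes {uncleared}"
    return True, f"all users cleared to system-high {high.name}"

def transaction_decision(user, system, obj, suspended=frozenset()):
    """Transaction-based: judge each exchange on object, user, system and live policy."""
    if user.clearance < obj.classification:
        return False, f"{user.name} is not cleared for {obj.classification.name}"
    if obj.coi not in user.cois:
        return False, f"{user.name} is not a member of COI {obj.coi}"
    if system.accredited < obj.classification:
        return False, f"{system.name} cannot protect {obj.classification.name}"
    if system.name in suspended:  # digital policy updated by persistent monitoring
        return False, f"{system.name} is suspended by current security policy"
    return True, f"{user.name} may receive {obj.label} via {system.name}"

# Constructed scenario: an analyst and a disaster-relief partner share one enterprise.
ANALYST = User("analyst", Level.SECRET, frozenset({"ops-planning", "disaster-relief"}))
PARTNER = User("relief-partner", Level.CONFIDENTIAL, frozenset({"disaster-relief"}))
HQ_NET = System("hq-net", Level.SECRET)
PARTNER_GW = System("partner-gw", Level.CONFIDENTIAL)
OPS_ORDER = InfoObject("ops-order", Level.SECRET, "ops-planning")
RELIEF_PLAN = InfoObject("relief-plan", Level.CONFIDENTIAL, "disaster-relief")
```

Under system-high, the CONFIDENTIAL-cleared partner is shut out of the whole SECRET system even for the relief plan; under the transaction model the same partner receives the relief plan, is still refused the ops order, and loses access again the moment monitoring suspends the partner gateway.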

GIG IA Architecture

The GIG IA architecture is the embodiment of the Enterprise IA model into a set of architectural products (e.g., operational, system, and technical views) that defines the IA strategies and capabilities to ensure protection of the information, availability, and assured control of the GIG IT infrastructure. Assured operation in the high-risk, end-state environment of the GIG will require unprecedented changes to its information, services, and infrastructure. Full integration of IA solutions, with the appropriate IA functionality and robustness within nearly every IT component of the GIG enterprise, will be paced by resources and commitment. Thus, over the next decade, the GIG enterprise will undergo an incremental evolution toward the end-state vision with new IA capabilities phased in as operations, technologies, resources, and policy permit. The gap between the near-term capabilities and the end-state vision will be bridged through one or more incremental rollouts of interim IA capabilities. The GIG IA architecture strategy will serve as the foundation for delivering IA capabilities to the IC, DoD, NSA/CSS, DHS, ISE, and other federal agencies comprising the National Security Community.

GIG IA Portfolio Management: Implementing the GIG IA Architecture

On October 10, 2005, the Deputy Secretary of Defense approved the DoD IT Portfolio Management Directive, otherwise referred to as DoD Directive 8115.01. This directive dramatically changes the way that DoD manages major initiatives and the projects that comprise them. To comply with the guidance referenced in the introduction, the DoD Chief Information Officer (CIO), as the Enterprise Information Environment Mission Area (EIEMA) lead, established Enterprise Information Environment domains, and named domain owners, including the Office of the Assistant Secretary of Defense/Networks and Information Integration as the domain owner for IA. The latter, in turn, appointed the Director, National Security Agency (DIRNSA) as the IA domain agent to lead the DoD's portfolio management IA activities. In September 2005, DIRNSA created the GIG Information Assurance Portfolio (GIAP) management office to execute these duties on his behalf. Though located at NSA/CSS and initially staffed with NSA/CSS personnel, this is a community office and will eventually grow to include other community members from across the national security community.

Developing an assured GIAP does not mean managing all of the service and agency IA programs. That will be left to the services and agencies themselves. The GIAP has established a community-wide portfolio management working group to work closely with ASD/NII and its defense-wide IA program office, and representatives from STRATCOM, Joint Staff, DISA, and the Services, to examine the IA programs to determine the capabilities they deliver and the capabilities they depend on to achieve success, as well as the timing of the programs, to ensure they are aligned. This synchronization is important to ensure that DoD dollars are being invested optimally.

The GIG is an exciting and challenging undertaking that will need participation and partnership by the DoD, IC, DHS, industry, and academic communities. NSA/CSS has defined a defense-in-depth IA strategy that relies on intrinsic, baked-in security and dynamic management, which focuses on protecting information in addition to the communications networks. That, along with extrinsic testing and analysis of residual risks and implemented with sound network security design, provides effective 24/7 operations.

NSA/CSS continues to contribute to the information sharing needs of the men and women serving in harm's way, actively fighting terrorism, and defending our country. NSA/CSS has committed senior-level managers, technical leaders, and a deep cadre of technical experts to make the GIG vision, through the GIG IA architecture and portfolio management, a success.
